LinuxQuestions.org

sneakyimp 03-15-2018 05:24 PM

the art of installing ssl cert for apache on ubuntu
 
I'm familiar with acquiring and installing a cert for apache, but I'm hoping to gain a deeper understanding. In particular, I'm fuzzy on the web of trust, the intermediate cert, and the behavior of browsers in respect to validating a cert.

I created a private key, example.com.key, and used it to create a CSR, which I submitted to digicert where I obtained a ZIP file with the cert, example.com.crt, and another file, IntermediateCA.crt. I altered my default-ssl apache config to refer to these files like so:
Code:

# the cert we bought
SSLCertificateFile      /etc/ssl/xxx-cert/example.com.crt
# our private key
SSLCertificateKeyFile   /etc/ssl/xxx-private/example.com.key
# cert chain for the cert we bought (Apache config comments start with '#', not '//')
SSLCertificateChainFile /etc/ssl/xxx-cert/IntermediateCA.crt

And I restarted apache and things were mostly good, but when I used the recommended cert checker tool from Symantec (now owned by Digicert?), it looked mostly fine but had one complaint/warning:
Code:

Root installed on the server. For best practices, remove the self-signed root from the server.
This warning might make perfect sense to more experienced folks, but it seems vague and unspecific to me and doesn't seem to communicate the problem very precisely using orthodox terms. I searched around and did not find any obvious solutions.

I suspected it might be related to the SSLCertificateChainFile setting and after some trial and error, I downloaded DigiCertSHA2ExtendedValidationServerCA.pem from this page (which is pretty confusing) and then I altered my apache default-ssl config like so:
Code:

SSLCertificateChainFile /etc/ssl/xxx-cert/DigiCertSHA2ExtendedValidationServerCA.pem
This has remedied that one warning above, but I have no idea:
1) why this fixed the problem
2) what is the difference between the two files
3) why Digicert would have given me the IntermediateCA.crt file they did when it would cause that error on their very own ssl cert checker tool.
4) what browser behaviors or underlying cert validation process might have found to cause the complaint.

If anyone could help clear up the role of the SSLCertificateChainFile a bit -- or refer me to an explainer on the ssl validation process, I'd be most grateful.

sneakyimp 03-16-2018 05:46 PM

I also checked my installation using Qualys/SSL Labs' test and, while it gets an "A" rating, I see a few warnings:

Under the heading Certificate #1: RSA 2048 bits (SHA256withRSA), in its subsection Server Key and Certificate #1, it has "DNS CAA" highlighted in orange with a value of "No" and a link here. I understand that I need to create a DNS record, but I'm having a bit of trouble understanding the exact values to put in this record and the implications of these values. In particular, I expect to install a wildcard cert at some point to support language subdomains. I'm not sure if I should use the issuewild property or whatever. I found a helper tool but would appreciate some advice. Given that I probably want to issue a wildcard certificate via Digicert, that tool returns this for me:
Code:

example.com.        CAA        0 issue "Digicert.com"
0 issuewild "digicert.com"
0 issuewild "Digicert.com"

I find the mixed case stuff a bit puzzling. I also wonder:
1) why 3 entries?
2) does case matter?
3) what is the impact of the issuewild property tag?
4) what does the value of zero do?
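Worked example, added here and not part of the thread: a small Python checker that applies the RFC 8659 CAA rules (owner-name climbing, issue vs. issuewild, the flags byte, case-insensitive issuer domains) to records like the ones the helper tool produced. The zone lines are constructed for the example and the function names are my own; note that the tool's second and third lines inherit the owner name from the first, so they are written out in full here.

```python
import re

# Constructed zone-file lines, modelled on the helper tool's output in the thread.
# Every line carries its owner name here; the tool's lines 2-3 relied on
# inheriting "example.com." from the line above.
ZONE = """
example.com.  CAA  0  issue     "Digicert.com"
example.com.  CAA  0  issuewild "digicert.com"
example.com.  CAA  0  issuewild "Digicert.com"
"""
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flags bit 7 ("issuer critical"); the tool's 0 means not critical

def parse_zone(text):
    """Return {owner: [(flags, tag, value), ...]}; owners and tags are case-folded."""
    rrsets = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$', line.strip())
        if m:
            owner, flags, tag, value = m.groups()
            rrsets.setdefault(owner.lower().rstrip("."), []).append((int(flags), tag.lower(), value))
    return rrsets

def relevant_rrset(rrsets, name):
    """RFC 8659: drop a leading '*', then use the first non-empty RRset walking toward the root."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        if rrsets.get(".".join(labels)):
            return rrsets[".".join(labels)]
        labels = labels[1:]
    return []

def ca_allowed(rrsets, name, ca):
    """Decide whether CA `ca` may issue for `name`; returns (allowed, reason)."""
    rrs = relevant_rrset(rrsets, name)
    if not rrs:
        return True, "no CAA records found: any CA may issue"
    for flags, tag, _ in rrs:
        if tag not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"unknown critical property {tag!r}: CA must refuse"
    # Wildcard names use issuewild when any is present, otherwise fall back to issue.
    tag = "issuewild" if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrs) else "issue"
    # Issuer domains are DNS names, so compare case-insensitively; text after ';' is CA-specific parameters.
    allowed = {v.split(";")[0].strip().lower() for _, t, v in rrs if t == tag}
    if ca.lower() in allowed:
        return True, f"{ca} is listed under {tag}"
    return False, f"{ca} is not in the {tag} set {sorted(allowed)}"

if __name__ == "__main__":
    rr = parse_zone(ZONE)
    for host, ca in [("www.example.com", "digicert.com"), ("*.example.com", "DigiCert.com"), ("*.example.com", "letsencrypt.org")]:
        print(host, ca, ca_allowed(rr, host, ca))
```

Running it shows the two differently cased issuewild lines collapse to one issuer after case folding, so the tool's three records carry only two distinct statements (issue and issuewild for digicert.com).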

sneakyimp 03-17-2018 12:24 PM

More issues I've noticed. In the ssl labs report, it looks like Java 8u161 client choked on the cert:
Code:

Java 8u161 - Client aborts on SNI unrecognized_name warning
RSA 2048 (SHA256)  |  TLS 1.2  |  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  ECDH secp256r1

And down at the bottom of the SSL labs report, in the Protocol Details section, a warning Incorrect SNI alerts is highlighted.
